[Snort-sigs] Unknown IIS Issue
matt at ...2436...
Mon Jul 19 14:30:19 EDT 2004
Yes, I agree it does. In fact we had 2 rules on bleeding that both
covered it by just seeing the THCOWNZIIS string in the ssl stream. I was
just talking to 2 people today though that are not seeing both
signatures trip at the same time, which I assume should happen.
I'm getting 40 or 50 hits on the sig just looking for THCOWNZIIS that
look legitimate. They're in an ssl stream close to the beginning of the
conversation. But no hits on 2515 at the same time.
I haven't had time to look into it yet though. Once I do I'll send
packet dumps out to see if anyone has any ideas.
Matthew Watchinski wrote:
> From reading the ISC reports and looking at the packet payload sid:2515
> already covers this.
> Matthew Jonkman wrote:
>> ISC is tracking a potential new IIS ssl exploit. Put up a real quick
>> rule to see if it's going around:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE
>> THCOWNZIIS IIS SSL Exploit Attempt";
>> 7-17; content:"THCOWNZIIS!"; sid:2000559; rev:1;)
>> It's in the Bleeding Rules now, www.bleedingsnort.com. If anyone knows
>> more about it let us know please.